ISP Privacy Principles

ISPs understand the trust our customers place in us, and we are committed to protecting our customers’ privacy and safeguarding their information. For 20 years, we have implemented policies and practices that are consistent with the FTC’s widely respected and effective privacy framework and other federal and state privacy laws. This framework helped drive the success of today’s Internet ecosystem by balancing consumer protection with the flexibility necessary to innovate. We understand the importance of maintaining our customers’ trust. That is why we will continue to provide consumer privacy protections, while at the same time meeting consumers’ expectations for innovative new product solutions to enhance their online experiences. Regardless of the legal status of the FCC’s broadband privacy rules, we remain committed to protecting our customers’ privacy and safeguarding their information because we value their trust. As policymakers evaluate the issues, we will maintain consumer protections that include the following:

Transparency. ISPs will continue to provide their broadband customers with a clear, comprehensible, accurate, and continuously available privacy notice that describes the customer information we collect, how we will use that information, and when we will share that information with third parties.

Consumer Choice. ISPs will continue to give broadband customers easy-to-understand privacy choices based on the sensitivity of their personal data and how it will be used or disclosed, consistent with the FTC’s privacy framework. In particular, ISPs will continue to: (i) follow the FTC’s guidance regarding opt-in consent for the use and sharing of sensitive information as defined by the FTC; (ii) offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing; and (iii) rely on implied consent to use customer information in activities like service fulfillment and support, fraud prevention, market research, product development, network management and security, compliance with law, and first-party marketing. This is the same flexible choice approach used across the Internet ecosystem and is very familiar to consumers.

Data Security. ISPs will continue to take reasonable measures to protect customer information we collect from unauthorized use, disclosure, or access. Consistent with the FTC’s framework, precedent, and guidance, these measures will take into account the nature and scope of the ISP’s activities, the sensitivity of the data, the size of the ISP, and technical feasibility.

Data Breach Notifications. ISPs will continue to notify consumers of data breaches as appropriate, including complying with all applicable state data breach laws, which contain robust requirements to notify affected customers, regulators, law enforcement, and others, without unreasonable delay, when an unauthorized person acquires the customers’ sensitive personal information as defined in these laws.

These principles are consistent with the FTC’s privacy framework, which has proved to be a successful privacy regime for many years and which continues to apply to non-ISPs, including social media networks, operating systems, search engines, browsers, and other edge providers that collect and use the same online data as ISPs. That framework has protected consumers’ privacy while fostering unprecedented investment and innovation. The principles are also consistent with the FCC’s May 2015 Enforcement Advisory, which applied to ISPs for almost two years while the FCC’s broadband privacy rules were being considered.

The above principles, as well as ISPs’ continued compliance with various federal and state privacy laws, will protect consumers’ privacy, while also encouraging continued investment, innovation, and competition in the Internet ecosystem.